IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

Inventor(s) : Joerg SCHWENK

Serial No. : To Be Assigned

Filed : Herewith

For : METHOD FOR ESTABLISHING A COMMON KEY
BETWEEN A CENTRAL STATION AND A GROUP OF
SUBSCRIBERS

Examiner : To Be Assigned

Art Unit : To Be Assigned

Assistant Commissioner for Patents 
Washington, D.C. 20231 

PRELIMINARY AMENDMENT 

SIR: 

Kindly amend the above-identified application before examination, as set 
forth below. 

IN THE TITLE : 

Please replace the title with the following: 
-METHOD FOR ESTABLISHING A COMMON KEY BETWEEN A CENTRAL 
STATION AND A GROUP OF SUBSCRIBERS-. 

IN THE SPECIFICATION : 

Please amend the specification, including abstract, pursuant to the 
attached substitute specification. Also attached is a red-lined copy of the 
specification, indicating deleted and added sections. No new matter has been 
added. 
IN THE CLAIMS:

Please cancel original claim 1 and please cancel substitute claim 1,
without prejudice.

Please add the following new claim: 

2. (New) A method for establishing a common key k between a central station Z
and a group of subscribers T1-Tn, comprising:

providing a publicly known mathematical group G and an element g ∈ G of a
high order in the group G, so that for the group G and the element g a calculation
of a discrete logarithm is essentially impossible;

using a predetermined threshold method, wherein a random number i is
generated by each subscriber Ti of the group of subscribers T1-Tn, and from the
element g ∈ G and the random number i, the value g^i is calculated by each
subscriber Ti of the group of subscribers T1-Tn and transmitted to the central
station Z; in the central station Z, a random number z is generated; from the
random number z and the values g^i, the values (g^i)^z in the group G are calculated,
from the values (g^i)^z, n shares (s_1,...,s_n) of the threshold method are derived, and
from the shares (s_1,...,s_n), an (n,2n-1) threshold method is constructed, a secret of
the (n,2n-1) threshold method being the key k to be established; in the central
station Z, n-1 further shares (s_{n+1},...,s_{2n-1}) differing from shares (s_1,...,s_n) are
calculated together with the value g^z in the group G and are transmitted to the
group of subscribers T1-Tn; and for each subscriber Ti of the group of subscribers
T1-Tn, the key k to be established is reconstructed so that from the value g^z
transmitted by the central station Z and the random number i of each subscriber Ti
of the group of subscribers T1-Tn, the value (g^z)^i in the group G is calculated, and
that from the resulting value, applying the (n,2n-1) threshold method, the share s_i is
derived, and that using the share s_i and the further shares (s_{n+1},...,s_{2n-1}) transmitted
by the central station Z, the key k is reconstructed.
REMARKS



This Preliminary Amendment cancels, without prejudice, original claim 1 
and substitute claim 1 in the underlying PCT Application No. PCT/EP99/07052, 
and adds new claim 2. The new claim conforms to U.S. Patent and Trademark 
Office rules and does not add new matter to the application. 

The amendments to the specification and abstract reflected in the substitute 
specification are to conform the specification and abstract to U.S. Patent and 
Trademark Office rules and to introduce changes made in the underlying PCT 
application, and do not introduce new matter into the application. 

The underlying PCT Application No. PCT/EP99/07052 includes an 
International Search Report, issued January 24, 2000, a copy of which is included. 
The Search Report includes a list of documents that were considered by the 
Examiner in the underlying PCT application. 



The underlying PCT Application No. PCT/EP99/07052 also includes
an International Preliminary Examination Report, issued October 5, 2000, a copy of
which is included, including a translation.

Applicants assert that the present invention is new, non-obvious, and
useful. Prompt consideration and allowance of the claims are respectfully
requested.

Respectfully Submitted, 



KENYON & KENYON 





Richard L. Mayer 
Reg. No. 22,490 



One Broadway 
New York, NY 10004 



(212) 425-7200 
(212) 425-5288 



CUSTOMER NO. 26646 
[2345/149]

METHOD FOR ESTABLISHING A COMMON KEY 
BETWEEN A CENTRAL STATION AND A GROUP OF SUBSCRIBERS 

The present invention is directed to a method for establishing 
a common key between a central station and a group of 
subscribers according to the definition of the species in the 
independent claim. There are many diverse encryption methods 
in the related art, and these methods have gained in 
commercial importance. They are used for transmitting 
information over generally accessible transmission media. 
However, only the owner of a cryptographic key is able to read 
this information in plain text. 

A known method for establishing a common key via insecure
communication channels is, for example, the W. Diffie and W.
Hellman method (see DH method, W. Diffie and M. Hellman; see
"New Directions in Cryptography", IEEE Transactions on
Information Theory, IT-22(6):644-654, November 1976).

The Diffie-Hellman key exchange [DH76] is based on the fact
that it is virtually impossible to calculate logarithms modulo
a large prime number p. Alice and Bob take advantage of this
fact in the example illustrated below, by each secretly
choosing a number x and y, respectively, smaller than p (and
prime to p-1). They then send each other (consecutively or
simultaneously) the x-th (and, respectively, y-th) power of a
publicly known number a. From the received powers, they are
able to calculate a common key K := a^(xy) by again performing an
exponentiation with x and y, respectively. An attacker, who
sees only a^x and a^y, is not able to calculate K therefrom. (The
only method known today to do so would involve first
calculating the logarithm, e.g. of a^x to the base a modulo p,
and then raising a^y to that power.)
Alice                                Bob

Secretly chooses x                   Secretly chooses y

                a^x  ->
                <-  a^y

Forms K := (a^y)^x = a^(xy)          Forms K := (a^x)^y = a^(xy)

Example of the Diffie-Hellman key exchange

The problem that exists in the case of the DH key exchange is
that Alice does not know whether she is actually communicating
with Bob or with an impostor. In IPSec, this problem is solved
by the use of public key certificates in which the identity of
a subscriber is linked to a public key by a trustworthy
authority. In this way, the identity of a conversation partner
can be verified.

The DH key exchange can also be implemented using other
mathematical structures, such as finite fields GF(2^n) or
elliptical curves. With such alternatives, one can improve
performance.

However, this method is only suitable for agreement of a key
between two subscribers.

Various attempts have been made to extend the DH method to
three or more subscribers (DH groups). M. Steiner, G. Tsudik,
and M. Waidner provide an overview of the state of the art in
"Diffie-Hellman Key Distribution Extended to Group
Communication", Proc. 3rd ACM Conference on Computer and
Communications Security, March 1996, New Delhi, India.

The following table illustrates an example where the DH method
is extended to three subscribers A, B and C (in each case,
calculations are mod p):

             A -> B      B -> C      C -> A
1st round    g^a         g^b         g^c
2nd round    g^(ca)      g^(ab)      g^(bc)


Once these two rounds have been carried out, each of the
subscribers is able to calculate the secret key g^(abc) mod p.

In all of these extensions, at least one of the following
problems occurs:

- The subscribers must be arranged in a certain manner, in
the above example, for instance, in a circle.

- The subscribers have no influence on the key selection
vis-a-vis the central station.

- The number of rounds is dependent on the number of
subscribers.

As a general rule, these methods are difficult to implement
and require substantial computational outlay.

Another method for establishing a common key is known from the 
German Patent DE 195 38 385.0. In this method, however, the 
central station must know the secret keys of the subscribers. 

An approach is also known from Burmester, Desmedt, "A Secure
and Efficient Conference Key Distribution System", Proc.
EUROCRYPT '94, Springer LNCS, Berlin 1994, where two rounds are
required to generate the key, it being necessary to send n
communications of a length of p = approx. 1000 bits through
the central station for n subscribers in the second round.

A cryptographic method described as the (n,t) threshold method
is also known. In an (n,t) threshold method, a key k can be
decomposed into t parts (referred to as shadows), in such a
way that this key k can be reconstructed from any n of the t
shadows (see Beutelspacher, Schwenk, Wolfenstetter: Moderne
Verfahren der Kryptographie (2nd edition), Vieweg Publishers,
Wiesbaden, 1998).



NY01 364264 v 1 






It is intended that the present method for generating a common 
key between a central station and a group of at least three 
subscribers have the same security standards as the DH method. 
In this context, however, the method should be simple to 
implement and require minimal computational outlay. It should 
be so conceived that there is no need, in the process, for the 
subscribers' secret keys to be made known to the central 
station. 

The method according to the present invention is equal to this 
task. It is based on the same mathematical structures as the 
DH method and, therefore, has comparable security features. In 
comparison to the group DH methods proposed in known methods 
heretofore, it is substantially more efficient with respect to 
computational outlay and communication requirements. 

The operating principle of the method according to the present
invention is elucidated in the following. In this instance,
the central station is denoted by Z, defined subscribers in
the method by T1-Tn, and every single subscriber, who is not
specifically named, by Ti. The publicly known components of
the method include a publicly known mathematical group G,
preferably the multiplicative group of all integral numbers
modulo a large prime number p, and an element g of the group
G, preferably a number 0<g<p having a high multiplicative
order. For group G, however, other suitable mathematical
structures can also be used, e.g., the multiplicative group of
a finite field, or the group of the points of an elliptical
curve.

The method is carried out in three work steps.

In the first step, a communication in the form (Ti, g^i mod p)
is sent by each subscriber Ti to the central station, i being
a random number of subscriber Ti selected by a random number
generator.

In the second work step, in central station Z:

- A random number z is generated, and the number (g^i)^z mod p
is calculated for each subscriber Ti.

- From these n numbers, n shares are then derived for n
subscribers in central station Z, using a generally known
(n,2n-1) threshold method.

- n-1 further shares s^1, ..., s^(n-1) are selected in central station Z
and sent, together with the number g^z mod p, to all
subscribers T1-Tn.

In the third work step, the common key k is calculated for
each subscriber Ti,

- (g^z)^i mod p = (g^i)^z mod p being calculated;

- from this, a share of the threshold method being
derived; and

- on the basis of this share and s^1, ..., s^(n-1), common key k being
determined as the secret.

On the basis of a practical example, the method according to 
the present invention is elucidated in the following for three 
subscribers A, B, and C, as well as a central station Z. 
However, the number of subscribers can be increased to any 
desired number. In this example, the length of number p is 
1024 bits; g has a multiplicative order of at least 2^^°. 

The method in accordance with the present invention is carried 
out in accordance with the following method steps: 

1. Subscribers A, B and C send g^a mod p, g^b mod p and g^c mod p
to central station Z.

2. g^(az) mod p, g^(bz) mod p and g^(cz) mod p are calculated in central
station Z, in each case the 128 least significant bits
thereof being used as shares s_A, s_B and, respectively, s_C. In
central station Z, applying the (n,2n-1) threshold method, a
2nd degree polynomial P(x), which passes through points
(1,s_A), (2,s_B), and (3,s_C) and is uniquely defined by these
points, is calculated over a finite field GF(2^128). Common
key k is the point of intersection of this polynomial with
the y-axis, i.e., k := P(0). Central station Z transmits g^z
mod p, s^1 := P(4) and s^2 := P(5) to subscribers A, B and C.

3. For subscriber A, (g^z)^a mod p is calculated. In the result,
subscriber A having the 128 least significant bits of this
value receives share s_A, which, together with shares s^1 and
s^2 is sufficient to determine polynomial P'(x) and, thus,
also key k. One proceeds analogously for subscribers B and
C.
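
The three work steps and the A/B/C example above, carried through for n subscribers as an added Python example that is not part of the filing. The modulus 2^521-1, the base 3, the GF(2^128) reduction polynomial and all function names are assumptions chosen for the demonstration; the text itself specifies a 1024-bit p.

```python
import secrets

# Constructed demo parameters (assumptions, not from the page, which uses a
# 1024-bit p): a Mersenne prime modulus and a small base. Not for production.
P = 2**521 - 1
G = 3
MASK128 = (1 << 128) - 1
# Reduction polynomial x^128 + x^7 + x^2 + x + 1 for GF(2^128) (assumed choice).
REDUCE = (1 << 128) | 0x87


def gf_mul(a, b):
    """Multiply two GF(2^128) elements (carry-less multiply with reduction)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= REDUCE
    return result


def gf_inv(a):
    """Inverse via a^(2^128 - 2); a must be non-zero."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^128)")
    result, exp = 1, (1 << 128) - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exp >>= 1
    return result


def interpolate(points, x):
    """Lagrange-evaluate at x the polynomial through points (subtraction is XOR)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = gf_mul(num, x ^ xm)
                den = gf_mul(den, xj ^ xm)
        total ^= gf_mul(yj, gf_mul(num, gf_inv(den)))
    return total


def share_of(group_element):
    """Share = 128 least significant bits of the DH value, as in step 2."""
    return group_element & MASK128


def subscriber_hello():
    """Step 1: a subscriber picks its random number i and sends g^i mod p."""
    i = secrets.randbelow(P - 3) + 2
    return i, pow(G, i, P)


def station_reply(publics):
    """Step 2: the station derives s_1..s_n, k = P(0) and the n-1 further shares."""
    n = len(publics)
    z = secrets.randbelow(P - 3) + 2
    points = [(idx, share_of(pow(gi, z, P))) for idx, gi in enumerate(publics, 1)]
    key = interpolate(points, 0)
    further = [(x, interpolate(points, x)) for x in range(n + 1, 2 * n)]
    return key, pow(G, z, P), further


def subscriber_key(index, i, g_z, further):
    """Step 3: recompute the own share from (g^z)^i, then interpolate P(0)."""
    own = (index, share_of(pow(g_z, i, P)))
    return interpolate([own] + further, 0)


def run(n=3):
    """Run the exchange for n subscribers; return (station key, subscriber keys)."""
    hellos = [subscriber_hello() for _ in range(n)]
    key, g_z, further = station_reply([pub for _, pub in hellos])
    keys = [subscriber_key(idx, i, g_z, further)
            for idx, (i, _) in enumerate(hellos, 1)]
    return key, keys


if __name__ == "__main__":
    k, subscriber_keys = run(3)
    print(hex(k), all(k == sk for sk in subscriber_keys))
```

An eavesdropper sees g^i, g^z and only n-1 points of a polynomial that needs n, so the further shares can travel in the clear. Like the DH exchange described earlier, the messages are unauthenticated.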

The method described above makes do with the minimum number of
two rounds between subscribers T1-Tn and central station Z. In
contrast to the Burmester and Desmedt approach, the outlay for
character strings to be transmitted by the central station to
the n subscribers can be reduced in the second round to a
length of 128 bits per subscriber.
What is claimed is:

1. A method for establishing a common key k between a
central station Z and a group of subscribers T1-Tn,
including a publicly known mathematical group G and an
element g ∈ G of a high order in the group G, so that for
group G and the element g, the calculation of the
discrete logarithm is virtually impossible,
wherein

a) a random number (i) is generated by each subscriber
(Ti) and, from the known element g ∈ G and the random
number (i) in question, the value (g^i) is calculated
by each subscriber (Ti) and transmitted to the
central station (Z);

b) in the central station (Z), a random number (z) is
generated; from the random number (z) and the
received values (g^i), the values (g^i)^z in G are
calculated; from these values, n shares (s_1,...,s_n) of
a threshold method are derived; and
from the shares (s_1,...,s_n), a (n,2n-1) threshold
method is constructed, the secret implicitly given
by this method being the key (k) to be established;
in the central station (Z), n-1 further shares
(s_{n+1},...,s_{2n-1}) differing from shares (s_1,...,s_n) are
calculated, together with the value g^z in G, and
transmitted to the subscribers (T1-Tn); and

c) for each subscriber (Ti), the key (k) to be
established is reconstructed in that, from the
value (g^z) transmitted by the central station
(Z), and the random number (i) of the
subscriber (Ti) in question, the value for (g^z)^i
in G is calculated; that from the resulting
value, applying a threshold method, the share
(s_i) is derived, and that, on the basis of the
share (s_i) and the shares (s_{n+1},...,s_{2n-1})
transmitted by the central station (Z), the key
(k) is reconstructed with the aid of the (n,2n-
1. A Method for Establishing a Common Key Between a Central
Station and a Group of Subscribers

2. Abstract

2.1. It is intended that the present method for generating a 
common key between a central station and a group of at 
least three subscribers exhibit the same standard of 
security as the DH method. 

2.2. The method is based on a publicly known mathematical
number group (G) and an element of the group g ∈ G of a
high order. Each of the n subscribers generates a random
number (i), calculates the value of g^i in G, and transmits
this value to the central station (Z). In the central
station (Z), a random number (z) is likewise generated,
and the values (g^i)^z in G are calculated. From these
values, the shares are derived on the basis of a
threshold method and, from these, a (n,2n-1) threshold
method is constructed. The central station (Z) transmits
the generated shares, together with the values (g^z), to
the n subscribers, who, using the (n,2n-1) threshold
method, can reconstruct the key (k).

2.3. The method in accordance with the present invention can
be advantageously used for generating a cryptographic key
for a group of a plurality, however of at least three,
subscribers.
METHOD FOR ESTABLISHING A COMMON KEY
BETWEEN A CENTRAL STATION AND A GROUP OF SUBSCRIBERS 

Field of the Invention 

The present invention is directed to a method for 
establishing a common key between a central station and a 
group of subscribers according to the definition of the 
species in the independent claim. 

Background Information 

There are many diverse encryption methods in the related 
art, and these methods have gained in commercial 
importance. They are used for transmitting information 
over generally accessible transmission media. However, 
only the owner of a cryptographic key is able to read 
this information in plain text. 

A known method for establishing a common key via insecure
communication channels is, for example, the W. Diffie and
W. Hellman method (see DH method, W. Diffie and M.
Hellman; see "New Directions in Cryptography", IEEE
Transactions on Information Theory, IT-22(6):644-654,
November 1976).

The Diffie-Hellman key exchange [DH76] is based on the
fact that it is virtually impossible to calculate
logarithms modulo a large prime number p. Alice and Bob
take advantage of this fact in the example illustrated
below, by each secretly choosing a number x and y,
respectively, smaller than p (and prime to p-1). They
then send each other (consecutively or simultaneously)
the x-th (and, respectively, y-th) power of a publicly
known number a. From the received powers, they are able
to calculate a common key K := a^(xy) by again performing an
exponentiation with x and y, respectively. An attacker,
who sees only a^x and a^y, is not able to calculate K
therefrom. (The method known today to do so would involve
first calculating the logarithm, e.g. of a^x to the base a
modulo p, and then raising a^y to that power.)

Alice                                Bob

Secretly chooses x                   Secretly chooses y

                a^x  ->
                <-  a^y

Forms K := (a^y)^x = a^(xy)          Forms K := (a^x)^y = a^(xy)

Example of the Diffie-Hellman key exchange

The problem that exists in the case of the DH key
exchange is that Alice does not know whether she is
actually communicating with Bob or with an impostor. In
IPSec, this problem is solved by the use of public key
certificates in which the identity of a subscriber is
linked to a public key by a trustworthy authority. In
this way, the identity of a conversation partner can
be verified.

The DH key exchange can also be implemented using other
mathematical structures, such as finite fields GF(2^n) or
elliptical curves. With such alternatives, one can
improve performance.

However, this method is only suitable for agreement of a
key between two subscribers.

Various attempts have been made to extend the DH method
to three or more subscribers (DH groups). M. Steiner, G.
Tsudik, and M. Waidner provide an overview of the state
of the art in "Diffie-Hellman Key Distribution Extended
to Group Communication", Proc. 3rd ACM Conference on
Computer and Communications Security, March 1996, New
Delhi, India.



The following table illustrates an example where the DH
method is extended to three subscribers A, B and C (in
each case, calculations are mod p):

             A -> B      B -> C      C -> A
1st round    g^a         g^b         g^c
2nd round    g^(ca)      g^(ab)      g^(bc)

Once these two rounds have been carried out, each of the
subscribers is able to calculate the secret key g^(abc) mod
p.

In all of these extensions, at least one of the following
problems occurs:

- The subscribers must be arranged in a certain
manner, in the above example, for instance, in a
circle.

- The subscribers have no influence on the key
selection vis-a-vis the central station.

- The number of rounds is dependent on the number of
subscribers.

As a general rule, these methods are difficult to 
implement and require substantial computational outlay. 

Another method for establishing a common key is known 
from German Patent No. DE 195 38 385,0. In this method, 
however, the central station must know the secret keys of 
the subscribers. 
Another approach is known from Burmester, Desmedt, "A
Secure and Efficient Conference Key Distribution System",
Proc. EUROCRYPT '94, Springer LNCS, Berlin 1994, where two
rounds are required to generate the key, it being
necessary to send n communications of a length of p =
approx. 1000 bits through the central station for n
subscribers in the second round.

A cryptographic method described as the (n,t) threshold
method is also known. In an (n,t) threshold method, a key
k can be decomposed into t parts (referred to as
shadows), so that this key k can be reconstructed from
any n of the t shadows (see Beutelspacher, Schwenk,
Wolfenstetter: Moderne Verfahren der Kryptographie (2nd
edition), Vieweg Publishers, Wiesbaden, 1998).

In IEEE Infocom '93, The Conference on Computer 
Communications Proceedings, Twelfth Annual Joint 
Conference of the IEEE Computer and Communications 
Societies, Networking: Foundation for the Future (cat. 
no. 93CH3264-9) (3/28/1993), vol. 3, pp. 1406-1413, "On
the Design of Conference Key Distribution Systems for the
Broadcasting Networks", a method is described for
establishing a common key between a central station
(chairman) and a group of n subscribers, where a
threshold method is employed. In this approach, the
central station (chairman) selects a common key. The
method presupposes a secure channel between the chairman
and the subscribers. A secure channel of this kind can be
established, for example, using the DH method [DH76]
indicated above, or a variant. However, for this, two
communications are necessary for each subscriber, in
order to negotiate a common key between the n subscribers
and the central station (chairman), and to transmit a
communication around the "public shadows".
Thus, altogether 2n+1 communications are required in
order to establish the common key.



Summary of the Invention

The present invention provides a method for generating a
common key between a central station and a group of at
least three subscribers that exhibits the same standard of
security as the DH method. The method can be based on a
publicly known mathematical number group (G) and an
element of the group g ∈ G of a high order. Each of the n
subscribers generates a random number (i), calculates the
value of g^i in G, and transmits this value to the central
station (Z). In the central station (Z), a random number
(z) is likewise generated, and the values (g^i)^z in G are
calculated. From these values, the shares are derived on
the basis of a threshold method and, from these, a (n,2n-1)
threshold method is constructed. The central station
(Z) transmits the generated shares, together with the
values (g^z), to the n subscribers, who, using the (n,2n-1)
threshold method, can reconstruct the key (k). The
method in accordance with the present invention can be
used for generating a cryptographic key for three or more
subscribers.

25 

Detailed Description 

The present invention provides a method for generating a
common key between a central station and a group of at
least three subscribers having the same security
standards as the DH method. In this context, the method
can be simple to implement and require minimal
computational outlay.

The present invention is based, inter alia, on the same
mathematical structures as the DH method and, therefore,
has comparable security features. In comparison to the
group DH methods proposed in known methods heretofore, it
is substantially more efficient with respect to
computational outlay and communication requirements.

The operating principle of the method according to the
present invention is elucidated in the following. In this
instance, the central station is denoted by Z, defined
subscribers in the method by T1-Tn, and every single
subscriber, who is not specifically named, by Ti. The
publicly known components of the method include a
publicly known mathematical group G, preferably the
multiplicative group of all integral numbers modulo a
large prime number p, and an element g of the group G,
preferably a number 0<g<p having a high multiplicative
order. For group G, however, other suitable mathematical
structures can also be used, e.g., the multiplicative
group of a finite field, or the group of the points of an
elliptical curve.

The method can be carried out in three steps. In a first
step, a communication in the form (Ti, g^i mod p) can be
sent by each subscriber Ti to the central station, i
being a random number of subscriber Ti selected by a
random number generator.

In a second work step, in central station Z:

- A random number z is generated, and the number (g^i)^z
mod p is calculated for each subscriber Ti.

- From these n numbers, n shares are then derived
for n subscribers in central station Z, using a
generally known (n,2n-1) threshold method.

- n-1 further shares s^1, ..., s^(n-1) are selected in central
station Z and sent, together with the number g^z mod p,
to all subscribers T1-Tn.



NY01 364268 v 1 



SUBSTITUTE SPECIFICATION

In a third work step, the common key k can be calculated
for each subscriber Ti,

- (g^z)^i mod p = (g^i)^z mod p being calculated;

- from this, a share of the threshold method being
derived; and

- on the basis of this share and s^1, ..., s^(n-1), common key
k being determined as the secret.

On the basis of a practical example, the method according
to the present invention is elucidated in the following
for three subscribers A, B, and C, as well as a central
station Z. However, the number of subscribers can be
increased to any desired number. In this example, the
length of number p is 1024 bits; g has a multiplicative
order of at least 2^^^

An embodiment of the method in accordance with the
present invention can be carried out as follows:

- Subscribers A, B and C send g^a mod p, g^b mod p and g^c
mod p to central station Z.

- g^(az) mod p, g^(bz) mod p and g^(cz) mod p are calculated in
central station Z, in each case the 128 least
significant bits thereof being used as shares s_A, s_B
and, respectively, s_C. In central station Z, applying
the (n,2n-1) threshold method, a 2nd degree
polynomial P(x), which passes through points (1,s_A),
(2,s_B), and (3,s_C) and is uniquely defined by these
points, is calculated over a finite field GF(2^128).
Common key k is the point of intersection of this
polynomial with the y-axis, i.e., k := P(0). Central
station Z transmits g^z mod p, s^1 := P(4) and s^2 := P(5)
to subscribers A, B and C.

- For subscriber A, (g^z)^a mod p is calculated. In the
result, subscriber A having the 128 least
significant bits of this value receives share s_A,
which, together with shares s^1 and s^2 is sufficient
to determine polynomial P'(x) and, thus, also key k.
One proceeds analogously for subscribers B and C.

The method described above can use a minimum number of
two rounds between subscribers T1-Tn and central station
Z. In contrast to the Burmester and Desmedt approach, the
outlay for character strings to be transmitted by the
central station to the n subscribers can be reduced in
the second round to a length of 128 bits per subscriber.
Abstract

The present invention provides a method for generating a
common key between a central station and a group of
subscribers, e.g., at least three subscribers, that exhibits
the same standard of security as the DH method.
JCOS Rec'd PCT/PTO 09 APR 2001

09/807176 

[2345/149] 



METHOD FOR ESTABLISHING A COMMON KEY 
BETWEEN A CENTRAL STATION AND A GROUP OF SUBSCRIBERS 

Field of the Invention 

The present invention is directed to a method for
establishing a common key between a central station and a
group of subscribers according to the definition of the
species in the independent claim.

Background Information

There are many diverse encryption methods in the related
art, and these methods have gained in commercial
importance. They are used for transmitting information
over generally accessible transmission media. However,
only the owner of a cryptographic key is able to read
this information in plain text.

A known method for establishing a common key via insecure
communication channels is, for example, the W. Diffie and
W. Hellman method (see DH method, W. Diffie and M.
Hellman; see "New Directions in Cryptography", IEEE
Transactions on Information Theory, IT-22(6):644-654,
November 1976).

The Diffie-Hellman key exchange [DH76] is based on the
fact that it is virtually impossible to calculate
logarithms modulo a large prime number p. Alice and Bob
take advantage of this fact in the example illustrated
below, by each secretly choosing a number x and y,
respectively, smaller than p (and prime to p-1). They
then send each other (consecutively or simultaneously)
the x-th (and, respectively, y-th) power of a publicly
known number a. From the received powers, they are able
to calculate a common key K := a^(xy) by again performing an
exponentiation with x and y, respectively. An attacker,
who sees only a^x and a^y, is not able to calculate K
therefrom. (The [only] method known today to do so would
involve first calculating the logarithm, e.g. of a^x to the
base a modulo p, and then raising a^y to that power.) [ ]

Alice                                Bob

Secretly chooses x                   Secretly chooses y

                a^x  ->
                <-  a^y

Forms K := (a^y)^x = a^(xy)          Forms K := (a^x)^y = a^(xy)

Example of the Diffie-Hellman key exchange



The problem that exists in the case of the DH key 
exchange is that Alice does not know whether she is 

25 actually communicating with Bob or with an impostor. In 

IPSec, this problem is solved by the use of public key 
certificates in which the identity of a subscriber is [ 
] linked to a public key by a trustworthy authority. In 
this way, the identity of a conversation partner is can 

30 be verified. 



The DH key exchange can also be implemented using other 
mathematical structures, such as finite fields GF(2'') or 
elliptical curves. With such alternatives, one can 
3 5 improve performance. 

However, this method is only suitable for agreement of a 
key between two subscribers . 
Various attempts have been made to extend the DH method
to three or more subscribers (DH groups). M. Steiner, G.
Tsudik, and M. Waidner provide an overview of the state
of the art in "Diffie-Hellman Key Distribution Extended
to Group Communication", Proc. 3rd ACM Conference on
Computer and Communications Security, March 1996, New
Delhi, India.



The following table illustrates an example where the DH
method is extended to three subscribers A, B and C (in
each case, calculations are mod p):

             A->B      B->C      C->A
1st round    g^a       g^b       g^c
2nd round    g^(ca)    g^(ab)    g^(bc)

Once these two rounds have been carried out, each of the
subscribers is able to calculate the secret key g^(abc) mod
p.

In all of these extensions, at least one of the following
problems occurs:

- The subscribers must be arranged in a certain
  manner, in the above example, for instance, in a
  circle.
- The subscribers have no influence on the key
  selection vis-a-vis the central station.
- The number of rounds is dependent on the number of
  subscribers.

As a general rule, these methods are difficult to
implement and require substantial computational outlay.

Another method for establishing a common key is known
from [the ] German Patent No. DE 195 38 385,0. In this
method, however, the central station must know the secret
keys of the subscribers.

[An] Another approach is [also] known from Burmester,
Desmedt, "A Secure and Efficient Conference Key
Distribution System", Proc. EUROCRYPT '94, Springer LNCS,
Berlin 1994, where two rounds are required to generate
the key, it being necessary to send n communications of a
length of p = approx. 1000 bits through the central
station for n subscribers in the second round.

A cryptographic method described as the (n,t) threshold
method is also known. In an (n,t) threshold method, a key
k can be decomposed into t parts (referred to as
shadows), [in such a way] so that this key k can be
reconstructed from any n of the t shadows (see
Beutelspacher, Schwenk, Wolfenstetter: Moderne Verfahren
der Kryptographie (2nd edition), Vieweg Publishers,
Wiesbaden, 1998).

[It is intended that the present] In IEEE Infocom '93. The
Conference on Computer Communications Proceedings.
Twelfth Annual Joint Conference of the IEEE Computer and
Communications Societies. Networking: Foundation for the
Future (cat. no. 93CH3264-9) (3/28/1993), vol. 3, pp.
1406-1413, "On the Design of Conference Key Distribution
Systems for the Broadcasting Networks", a method is
described for establishing a common key between a central
station (chairman) and a group of n subscribers, where a
threshold method is employed. In this approach, the
central station (chairman) selects a common key. The
method presupposes a secure channel between the chairman
and the subscribers. A secure channel of this kind can be
established, for example, using the DH method [DH76]
indicated above, or a variant. However, for this, two
communications are necessary for each subscriber, in
order to negotiate a common key between the n subscribers
and the central station (chairman), and to transmit a
communication around the "public shadows".

Thus, altogether 2n+1 communications are required in
order to establish the common key.

Summary of the Invention

The present invention provides a method for generating a
common key between a central station and a group of at
least three subscribers which exhibits the same standard of
security as the DH method. The method can be based on a
publicly known mathematical number group (G) and an
element of the group g∈G of a high order. Each of the n
subscribers generates a random number (i), calculates the
value of g^i in G, and transmits this value to the central
station (Z). In the central station (Z), a random number
(z) is likewise generated, and the values (g^i)^z in G are
calculated. From these values, the shares are derived on
the basis of a threshold method and, from these, a (n,2n-1)
threshold method is constructed. The central station
(Z) transmits the generated shares, together with the
values (g^i)^z, to the n subscribers, who, using the (n,2n-1)
threshold method, can reconstruct the key (k). The
method in accordance with the present invention can be
used for generating a cryptographic key for three or more
subscribers.

Detailed Description

The present invention provides a method for generating a
common key between a central station and a group of at
least three subscribers [have] having the same security
standards as the DH method. In this context, [however, ]
the method [should] can be simple to implement and
require minimal computational outlay. [It should be so
conceived that there is no need, in the process, for the
subscribers' secret keys to be made known to the central
station.

The method according to the ]

The present invention is [equal to this task. It is ]
based, inter alia, on the same mathematical structures
as the DH method and, therefore, has comparable security
features. In comparison to the group DH methods proposed
in known methods heretofore, it is substantially more
efficient with respect to computational outlay and
communication requirements.

The operating principle of the method according to the
present invention is elucidated in the following. In this
instance, the central station is denoted by Z, defined
subscribers in the method by T1-Tn, and every single
subscriber, who is not specifically named, by Ti. The
publicly known components of the method include a
publicly known mathematical group G, preferably the
multiplicative group of all integral numbers modulo a
large prime number p, and an element g of the group G,
preferably a number 0<g<p having a high multiplicative
order. For group G, however, other suitable mathematical
structures can also be used, e.g., the multiplicative
group of a finite field, or the group of the points of an
elliptical curve.

The method [is] can be carried out in [three work steps.
In the] three steps. In a first step, a communication in
the form (Ti, g^i mod p) [is] can be sent by each subscriber
Ti to the central station, i being a random number of
subscriber Ti selected by a random number generator.

In [the] a second work step, in central station Z:

- A random number z is generated, and the number (g^i)^z
  mod p is calculated for each subscriber Ti.
- From these n numbers, n shares are then derived
  for n subscribers in central station Z, using a
  generally known (n, 2n-1) threshold method.
- n-1 further shares s_1, ..., s_(n-1) are selected in central
  station Z and sent, together with the number g^z mod p,
  to all subscribers T1-Tn.



In [the] a third work step, the common key k [is] can be
calculated for each subscriber Ti,

- (g^z)^i mod p = (g^i)^z mod p being calculated;
- from this, a share of the threshold method being
  derived; and
- on the basis of this share and s_1, ..., s_(n-1), common key
  k being determined as the secret.

On the basis of a practical example, the method according
to the present invention is elucidated in the following
for three subscribers A, B, and C, as well as a central
station Z. However, the number of subscribers can be
increased to any desired number. In this example, the
length of number p is 1024 bits; g has a multiplicative
order of at least 2^160.



[T] An embodiment of the method in accordance with the
present invention [is] can be carried out [in accordance
with the following method steps] as follows:

- Subscribers A, B and C send g^a mod p, g^b mod p and g^c
  mod p to central station Z.
- g^(az) mod p, g^(bz) mod p and g^(cz) mod p are calculated in
  central station Z, in each case the 128 least
  significant bits thereof being used as shares [s]s_A,
  [s]s_B and, respectively, [s]s_C. In central station Z,
  applying the (n,2n-1) threshold method, a 2nd degree
  polynomial P(x), which passes through points (1,s_A),
  (2,s_B), and (3,s_C) and is uniquely defined by these
  points, is calculated over a finite field GF(2^128).
  Common key k is the point of intersection of this
  polynomial with the y-axis, i.e., k := P(0). Central
  station Z transmits g^z mod p, s_1 := P(4) and s_2 := P(5)
  to subscribers A, B and C.
- For subscriber A, (g^z)^a mod p is calculated. In the
  result, subscriber A having the 128 least
  significant bits of this value receives share s_A,
  which, together with shares s_1 and s_2 is sufficient
  to determine polynomial P(x) and, thus, also key k.
  One proceeds analogously for subscribers B and C.

The method described above [makes do with the] can use a
minimum number of two rounds between subscribers T1-Tn
and central station Z. In contrast to the Burmester and
Desmedt approach, the outlay for character strings to be
transmitted by the central station to the n subscribers
can be reduced in the second round to a length of 128
bits per subscriber.
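
The three steps and the worked example above, sketched in Python as an added example (not code from the patent or its author). Assumptions: the demo modulus p = 2^521 - 1 with g = 3 stands in for the 1024-bit p and high-order g the text calls for, the x-coordinates 1..2n-1 are encoded as field elements by their bit patterns, GF(2^128) is built with the reduction polynomial x^128 + x^7 + x^2 + x + 1, and all function names are illustrative.

```python
import secrets

# Demo parameters only (assumption, not from the page): p = 2^521 - 1 is a prime
# that is easy to write down; the page calls for a 1024-bit p, g of order >= 2^160.
P_MOD, G, MASK = 2**521 - 1, 3, 2**128 - 1
R = (1 << 128) | 0x87      # x^128 + x^7 + x^2 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply in GF(2^128): shift-and-XOR product, reduced modulo R."""
    r = 0
    while b:
        r ^= a * (b & 1)           # add a if the current bit of b is set
        a, b = a << 1, b >> 1
        a ^= R * (a >> 128)        # reduce when the degree reaches 128
    return r

def gf_inv(a):
    """Inverse of a nonzero element, computed as a^(2^128 - 2)."""
    r, e = 1, 2**128 - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through points."""
    total = 0
    for xj, yj in points:
        num = den = 1
        for xm, _ in points:
            if xm != xj:
                num = gf_mul(num, x ^ xm)     # (x - xm); subtraction is XOR
                den = gf_mul(den, xj ^ xm)    # (xj - xm)
        total ^= gf_mul(yj, gf_mul(num, gf_inv(den)))
    return total

def central_station(publics):
    """Step 2: from [g^i, ...] return (g^z, n-1 broadcast shares, key k = P(0))."""
    z = secrets.randbelow(P_MOD - 2) + 1
    pts = [(j + 1, pow(gi, z, P_MOD) & MASK) for j, gi in enumerate(publics)]
    extra = [(x, interpolate(pts, x)) for x in range(len(pts) + 1, 2 * len(pts))]
    return pow(G, z, P_MOD), extra, interpolate(pts, 0)

def subscriber_key(index, i, gz, extra):
    """Step 3: own share (128 low bits of (g^z)^i) plus broadcast shares gives k."""
    own = (index, pow(gz, i, P_MOD) & MASK)
    return interpolate([own] + extra, 0)
```

As with the two-party DH exchange described earlier, nothing in this exchange authenticates the g^i or g^z messages, so they would need to travel over authenticated channels such as the certificate-backed ones mentioned for IPSec.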



[2. ] Abstract

[2.1. It is intended that t]The present invention
provides a method for generating a common key
between a central station and a group of
subscribers, e.g., at least three subscribers,
which exhibits the same standard of security as the DH
method.

[2.2. The method is based on a publicly known mathematical
number group (G) and an element of the group g∈G of
a high order. Each of the n subscribers generates a
random number (i), calculates the value of g^i in G,
and transmits this value to the central station (Z).
In the central station (Z), a random number (z) is
likewise generated, and the values (g^i)^z in G are
calculated. From these values, the shares are
derived on the basis of a threshold method and, from
these, a (n,2n-1) threshold method is constructed.
The central station (Z) transmits the generated
shares, together with the values (g^i)^z, to the n
subscribers, who, using the (n,2n-1) threshold
method, can reconstruct the key (k).]

[2.3. The method in accordance with the present invention
can be advantageously used for generating a
cryptographic key for a group of a plurality,
however of at least three, subscribers.]
DECLARATION AND POWER OF ATTORNEY

As a below named inventor, I hereby declare that:

My residence, post office address and citizenship are as stated below next to
my name.

I believe I am an original, first and sole inventor of the subject matter which is
claimed and for which a patent is sought on the invention entitled METHOD FOR
ESTABLISHING A COMMON KEY BETWEEN A CENTRAL STATION AND A
GROUP OF SUBSCRIBERS, the specification of which was filed as International
Application No. PCT/EP99/07052 on September 22, 1999 and filed as a U.S. application
having Serial No. 09/807176 on April 9, 2001 for Letters Patent in the U.S. Patent and
Trademark Office.

I hereby state that I have reviewed and understand the contents of the
above-identified specification, including the claims.

I acknowledge the duty to disclose information which is material to the
examination of this application in accordance with Title 37, Code of Federal Regulations,
§ 1.56(a).

I hereby claim foreign priority benefits under Title 35, United States Code, §
119 of any foreign application(s) for patent or inventor's certificate listed below and have also
identified below any foreign application(s) for patent or inventor's certificate having a filing
date before that of the application on which priority is claimed:

PRIOR FOREIGN APPLICATION(S)

Number          Country                 Day/Month/Year Filed    Priority Claimed Under 35 USC 119
198 479 44.1    Fed. Rep. of Germany    9 October 1998          Yes

And I hereby appoint Richard L. Mayer (Reg. No. 22,4S i), Gerard A. Messina
(Reg. No. 3i,,95^) and Linda M. Shudy (Reg. No. 47^0§^) my attorneys with full power of
substitution and revocation, to prosecute this application and to transact all business in the
Patent and Trademark Office connected therewith.



Please address all communications regarding this application to: 



KENYON & KENYON 
One Broadway

CUSTOMER Nal6646 



Please direct all telephone calls to Richard L. Mayer at (212) 425-7200. 



I hereby declare that all statements made herein of my own knowledge are true
and that all statements made on information and belief are believed to be true; and further that
these statements were made with the knowledge that willful false statements and the like so
made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the
United States Code and that such willful and false statements may jeopardize the validity of
the application or any patent issued thereon.